RedHook Returns with a Dangerous Upgrade#2502
Open
carlospolop wants to merge 1 commit into
Open
Conversation
Collaborator
Author
🔗 Additional ContextOriginal Blog Post: https://group-ib.com/blog/redhook-android-rat-upgraded Content Categories: Based on the analysis, this content was categorized under "Mobile Pentesting > Android Applications Pentesting > Accessibility Services Abuse and Shizuku Privileged API; optionally cross-reference Android persistence and ADB/Wireless Debugging abuse". Repository Maintenance:
Review Notes:
Bot Version: HackTricks News Bot v1.0 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
🤖 Automated Content Update
This PR was automatically generated by the HackTricks News Bot based on a technical blog post.
📝 Source Information
🎯 Content Summary
Overview
RedHook is an Android Remote Access Trojan (RAT) that combines social engineering, phishing, Accessibility-service abuse, ADB Wireless Debugging, and code heavily derived from the open-source Shizuku framework. After convincing a victim to sideload the APK and enable its Accessibility service, RedHook autonomously pairs an embedded ADB client with the infected device's own ADB daemon through
127.0.0.1. It then la...🔧 Technical Details
Accessibility-assisted security configuration: Once an Android application has Accessibility access, it can inspect UI trees, simulate gestures and text entry, navigate Settings, and activate security-sensitive features. A malicious application can hide this automation behind a full-screen overlay, tap the build number seven times, enable Developer Options and Wireless Debugging, open pairing-code mode, and read the displayed pairing code without making the underlying Settings workflow visible to the victim.
Self-hosted ADB Wireless Debugging: Wireless Debugging allows an Android device to act as both ADB host and target. An embedded ADB client can pair with and connect to the same device's ADB daemon over the loopback interface
127.0.0.1. This removes the normal requirement for a computer or USB connection and turns a locally enabled debugging interface into an on-device route to shelluid 2000.Borrowing shell identity through...
🤖 Agent Actions
Using deferred tool discovery to find the repo/file inspection tools needed for this HackTricks update.
The local exec tool requires a dedicated task-steps tool first, so I’m locating that specific tool now.
Initializing the required Chack task board now, then I’ll inspect the Android/mobile documentation files.
Applying a single-file update to the Shizuku page with the missing RedHook-style abuse chain, persistence caveats, and technical detection notes.
Done — I updated:
src/mobile-pentesting/android-app-pentesting/shizuku-privileged-api.mdAdded concise technical coverage of:
127.0.0.1uid 2000BIND_AUTO_CREATE,BOOT_COMPLETED,oom_score_adj,mlock(),MediaSession,WakeLock)I also added the Group-IB blog to the file’s
## Referencessection and verified the final file structure.This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.